Hi
Avast! keeps alerting me that my computer is infected with the trojano 213 virus, but every time I hit “delete,” Avast can never find the file. Is there any way to correct this?
What file is reported as infected and what is its location?
What OS are you using?
Pantsed,
It may be because the trojan is located in a password protected or system file which Avast cannot access.
This usually occurs with vital system operating files or those found in the System Restore points.
Once you give us the full path, then we can give you a better method to correct the problem.
Thank you for joining the forum.
Hi
I’m running Windows XP, and the file is c:\temp\instal~1.exe
I scheduled a boot time scan, and that seemed to work for a while. Avast! would scan my computer and not find anything. But, like a bad horror movie villain, it’s back with a vengeance.
You not only have to get rid of the trojan, you also need to get rid of some of the supporting things in the registry that could be reloading it.
You need to run a program called HijackThis; see Eddy’s HiJackThis Info and Analysis page and the HijackThis log file analyzer, follow the directions there, and get back to us if you need more help…
Pantsed,
try disabling system restore, schedule a boot time scan, then before re-boot go to start/run/cmd
enter this command
del C:\temp\*.*
press enter
reboot and let the scan complete.
Hi
I used hijackthis and deleted the dangerous files. I also disabled system restore and deleted my temp folder. Everything seemed fine, but a couple of days later Avast! alerted me that trojano-213 was back and wouldn’t let me delete it.
My computer is on a network. I think that perhaps this virus is infecting the whole network, and that every time I delete it, the network just reinfects my computer with it.
This trojan always starts off in my temp folder before moving to other parts of my computer. Is there a way to put a block on a specific folder for this specific file?
PS
I did a google search for trojano-213, and I guess it’s a malware program. I have ad-ware in addition to avast!, and it gets most of the stuff off my computer, but like I said in my previous post, I think my network might be reinfecting me.
If you think that then you should take the same steps in the other pcs in the network.
We asked you to post/paste a copy of the contents of your hijackthis.log (would need to be renamed to a .txt file), paste would be better. That way others can check it and give further advice/help if required.
Here’s my log file.
Logfile of HijackThis v1.98.2
Scan saved at 7:28:42 PM, on 10/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows SyncroAd\SyncroAd.exe
C:\Program Files\Windows SyncroAd\WinSync.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Aim\aim.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\hijack\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [armjghbi] C:\WINDOWS\system32\okvfgyb.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Reboot.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Win32 Classes -
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
Thanks!
An online scan of your Hijackthis file can be done here.
Just cut and paste it into the window.
http://hijackthis.de/index.php
It would seem that all updates to your OS haven’t been applied yet.
I checked your log using Eddy’s Log File Analyser (which is available to you on his site). I gave you the link in a previous post.
I assume that at one point you used the on-line PestScan.
o3 - toolbar: (no name) - {2cde1a7d-a478-4291-bf31-e1b4c16f92eb} - (no file)
o16 - dpf: win32 classes -
o16 - dpf: yahoo! literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
o16 - dpf: {2fc9a21e-2069-4e47-8235-36318989db13} (ppsdkactivexscanner.mainscreen) - http://www.pestscan.com/scanner/axscanner.cab
As inthewildteam mentioned, your OS is not fully up to date.
There are some nasties missing in the analyzer’s log:
→ see here another analysis:
http://hijackthis.de/logfiles/de40382e426c1fcc761c7844a51dfb04.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
→ Nasty (except if you put it there on your own, but try fixing it first…)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
→ Possibly nasty
O4 - HKLM\..\Run: [armjghbi] C:\WINDOWS\system32\okvfgyb.exe
→ very fishy!
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
→ Nasty
O4 - Global Startup: Reboot.exe
→ fishy (why reboot on startup…? or is this a tool for fast-reboot-on-a-click ? - e.g.:
http://sysinfo.org/startuplist.php?filter=reboot.exe )
And disable system RESTORE (or make sure it’s still disabled) before fixing/cleaning !! → how-to: see link “VirusRemoval” below in my sig
also browse through these topics:
http://www.google.de/search?hl=de&q=trojano-213&meta=
P.S.: was the log-file made right when the avast-alert came, before, or after deleting the file… ?
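An added example, not part of any post in this thread and not the code of HijackThis or of the analyzers linked above: a small Python parser for the R/O entry lines of the log posted earlier. It inventories the O4 autorun entries and flags two structural oddities, `(no file)` registrations and autoruns given without a directory. The function names and flag labels are made up for illustration; the sample lines are copied from the posted log.

```python
import re
from ntpath import dirname  # Windows path rules regardless of host OS

# Lines excerpted from the HijackThis log in this thread (key written as HKLM\..\Run).
SAMPLE_LOG = r"""
C:\WINDOWS\Explorer.EXE
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [armjghbi] C:\WINDOWS\system32\okvfgyb.exe
O4 - Global Startup: Reboot.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

ENTRY = re.compile(r"^([RO]\d+) - (.+)$")                       # "O4 - <body>"
O4_BODY = re.compile(r"^([^:]+): (?:\[([^\]]*)\] )?(.+)$")      # location: [name] command
EXE = re.compile(r".*?\.(?:exe|com|bat|cmd|scr|pif)\b", re.I)   # up to first executable suffix

def image_path(cmd):
    """Best-effort executable path from an O4 command string."""
    cmd = cmd.split(" = ", 1)[-1].strip()   # startup shortcut: "name.lnk = target"
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]     # quoted path, arguments follow the quote
    m = EXE.match(cmd)
    return m.group(0) if m else cmd

def entries(log_text):
    """Yield (code, body) for each R*/O* line; headers and process paths are skipped."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def autoruns(log_text):
    """Inventory of O4 entries as (location, value_name, image_path)."""
    hits = (O4_BODY.match(b) for c, b in entries(log_text) if c == "O4")
    return [(m.group(1), m.group(2), image_path(m.group(3))) for m in hits if m]

def triage(log_text):
    """Structural flags only: what to look at first, not a verdict."""
    flags = [(c, "no-file", b) for c, b in entries(log_text) if b.endswith("(no file)")]
    flags += [("O4", "no-path", p) for _, _, p in autoruns(log_text) if not dirname(p)]
    return flags

if __name__ == "__main__":
    print(*autoruns(SAMPLE_LOG), *triage(SAMPLE_LOG), sep="\n")
```

Neither flag singles out `okvfgyb.exe`; for entries like that, the `autoruns()` inventory is what gets compared against the software known to be installed on the machine.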